Operational Resilience

With developments in technology and potential heightened risk for an extreme-but-plausible event, companies have implemented resilience roles to oversee operational processes and controls and understand the complexity of the organisation and economic environment. Owning an operational resilience programme within an organisation involves governance of the programme, technology change to enhance recovery, and the adoption of a cultural change to embed resilience in the minds of all employees.

Some key questions the Head of Resilience should ask are:

• How resilient is my organisation?
• Should my organisation be more resilient?
• Is there a defined operational resilience framework and programme in place to deliver on each component?
• Are there real-time lessons to be learned from tracking?
• Where are the key resource vulnerabilities across my important business services (i.e., people, process, information, technology, facilities, and third parties)?
• How do current and planned changes in our business model impact our current operational resilience programme?
• Do we expect to have a clear view of our vulnerabilities, and funding and action plans to address them by Q1 2022?
• Do we have an agile and rapid response to incidents?
• Does the current technology stack enable me to provide a clear and concise view of our state of resilience to the Board and Senior Management Team?
• Do we have the right level of stakeholder participation across the business?

Quantifying downtime can come in many forms but, at its core, it is a function of the cost of being down against a function of time. A firm can accept loss from an operational disruption for a specific period of time, after which it is bound to go out of business. The severity of the cost impact will dictate how long the firm can absorb the disruption. Calculating the organisation’s initial level of resilience and reporting that information will allow the organisation to effectively assess the recovery of an important business service or process and determine the related potential downtime and cost assumptions.

Some key questions the CISO should ask are:

• How resilient is my organisation?
• Should my organisation be more resilient?
• Do identified IBS have sufficient cyber focus/monitoring in place to provide appropriate threat deterrent?
• Do we have cyber attendance at Op Res governance forums? (Including change boards)?
• Do we operate a Lessons Learned database to allow for the allocation, tracking and resolution of Op Res identified actions?
• Are our monitoring and response capabilities tied into broader enterprise-wide operational resilience efforts?
• Have we integrated key considerations?
• How do we validate that our outsourced IBS are appropriately secured (contracts, reporting, evidence)? How does our business model support our ability to respond and recover? Do we have flexible, dynamic and empowered resources to work across silos?

As heads of technology for an organisation there will be incredible challenges with aligning technology strategy and spend with the needs of resilience. Regulated institutions should be able to demonstrate not only their ability to keep important business services running but also how they can keep data secure.

Some key questions the CIO/CTO should ask are:

• How vulnerable are we to a cyberattack or an unpredictable catastrophic event?
• What impact will that have on the organisation?
• How can we create long-term competitive advantages through our focus on Operational Resilience?
• What learnings can we apply from the pandemic to our approach to Operational Resilience?
• As we identify key IT initiatives, are we considering the negative or positive impacts on the resilience of business services?
• What does the technology landscape look like to support our future business state and how do we build resilience into its design?
• Does the change advisory board/process consider resilience as a key attribute and how are these changes escalated/approved?

Incorporating a comprehensive resilience assurance approach into existing governance and foundational element audits will enable firms to develop a resiliency culture and position themselves to respond effectively to common operational disruptions as well as extreme-but-plausible events that could threaten the viability of their organisations, customers and financial markets. The bar in auditing resilience will align with the current third line work efforts, as resilience will be, if it is not already, a critical part of an ongoing audit plan. Self-assessment will advance the work efforts of the third line and provide regulators some comfort that the recoverability of the firm is acceptable.

Some key questions the CAE should ask are:

• How does the organisation approach operational resilience and how engaged are the board and executives in the operational resilience programme and establishment of the resiliency strategy or objective?
• Has our organisation clearly defined and articulated its important business services and impact tolerances?
• Do we have a process of testing our ability to withstand and respond to extreme-but-plausible events?
• Does our team have visibility into foundational elements of the organisation?
• How do IA findings report into the Op Res governance structure?
• Do we have a dynamic assurance process in place to respond to business needs?

The expectations for regulated institutions include ownership of their operational resilience, prioritising plans and investment choices based on their impacts on the public interest and communicating clearly to customers when disruptions occur. Regulated institutions should be prepared to address issues (e.g., large-scale and sustained power outages) that may extend their resilience beyond their impact tolerances.

Some key questions the CRO should ask are:

• How is operational resilience governed effectively within the organisation?
• Do we have dynamic risk assessments in place, supported by good information flows across the organisation, to identify emerging risks quickly?
• Does the existing governance model allow for appropriate routes of risk escalation, and is enough focus being applied?
• Has our risk profile changed as a result of the changing threat landscape (i.e., pandemic, multiple incidents)?
• How has the control environment changed and what additional assurance needs to be provided?

The culture of the firm, starting at the board level, has a significant impact on the resilience a firm. Culture will drive firms’ decision, actions by employees, and assure firms are conducting themselves to enhance resilience and decrease harm.

The tone must be set at the top of the organisation for resilience to become a part of business as usual. The ability to recover from an event so that consumers are not harmed, should drive key decisions around project selection, technology implementation and other key functions of the firm.

Some key questions the Board of Directors should ask are:

• How resilient is our organisation?
• How do we track changes in resilience within our organisation?
• Do we receive the right level of information about the state of resiliency within our firm?
• How is our operational programme organised, who is responsible for preparing for and responding to various resilience events, and to what extent are the line-of-business leaders engaged?
• How prepared is the organisation for operational resilience? Has management given the topic sufficient attention to ensure organisational preparedness?
• How does the organisation approach operational resilience, and how engaged are the board and senior executives in establishing the overall operational resilience objectives and strategy, and monitoring the execution of that strategy?
• Has the organisation defined its important business services, as well as the impact tolerances for those services? Has it considered the extreme-but-plausible events that could result in an impact that exceeds established tolerances?
• Has management demonstrated a clear understanding of the organisation’s dependencies on third-party vendors and the level of risk they introduce into the delivery of important business services?
• How does our business model support our ability to respond and recover? Do we have flexible, dynamic and empowered resources to work across silos? Do we have a robust internal and external communication strategy in place for use during operational disruptions?
• Has management allocated sufficient funding and attention to address identified vulnerabilities?